From 7755b146f6c6b43da2d1467bbf8b1fc4e94523fe Mon Sep 17 00:00:00 2001
From: Alexander Yastrebov
Date: Mon, 4 Mar 2024 17:59:21 +0100
Subject: [PATCH] skipper: update hostname-credentials-controller

The logic previously implemented by secret-combiner was moved into hostname-credentials-controller.

Signed-off-by: Alexander Yastrebov
---
 cluster/manifests/deletions.yaml                    | 14 +++
 .../hostname-credentials-controller.yaml            | 42 +++++++-
 .../manifests/skipper/secret-combiner.yaml          | 98 -------------------
 3 files changed, 54 insertions(+), 100 deletions(-)
 delete mode 100644 cluster/manifests/skipper/secret-combiner.yaml

diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml
index 8b3b41a946..060f777072 100644
--- a/cluster/manifests/deletions.yaml
+++ b/cluster/manifests/deletions.yaml
@@ -4,6 +4,20 @@ pre_apply:
   namespace: kube-system
   kind: Deployment
 
+# TODO: remove after rollout
+- kind: CronJob
+  name: secret-combiner
+  namespace: kube-system
+- kind: RoleBinding
+  name: secret-combiner
+  namespace: kube-system
+- kind: Role
+  name: secret-combiner
+  namespace: kube-system
+- kind: ServiceAccount
+  name: secret-combiner
+  namespace: kube-system
+
 # everything defined under here will be deleted after applying the manifests
 post_apply:
 - name: cronjob-monitor
diff --git a/cluster/manifests/skipper/hostname-credentials-controller.yaml b/cluster/manifests/skipper/hostname-credentials-controller.yaml
index 058881be8b..90e3b40a08 100644
--- a/cluster/manifests/skipper/hostname-credentials-controller.yaml
+++ b/cluster/manifests/skipper/hostname-credentials-controller.yaml
@@ -1,5 +1,5 @@
 # {{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true" }}
-# {{ $version := "main-11" }}
+# {{ $version := "main-12" }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
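Review bot: The `# TODO: remove after rollout` marker above the four new pre_apply entries does not say which rollout it waits for, so a later reader cannot tell when the secret-combiner deletions are safe to drop; suggest `# TODO: remove once hostname-credentials-controller main-12 (which now owns the combining logic) has been applied everywhere and the secret-combiner objects are gone`. Because these are pre_apply deletions, the old CronJob is removed before the updated controller manifest is applied, so the combined `hostname-credentials` secret is not refreshed until the new CronJob's first successful run, and a failed apply in between leaves that gap open. That looks acceptable for a transition step, but it is worth stating in the same comment so the ordering is understood as deliberate.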
@@ -56,6 +56,42 @@ subjects:
     name: hostname-credentials-controller
     namespace: kube-system
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: hostname-credentials-controller
+  namespace: kube-system
+  labels:
+    application: skipper-ingress
+    component: hostname-credentials
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - list
+      - get
+      - create
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: hostname-credentials-controller
+  namespace: kube-system
+  labels:
+    application: skipper-ingress
+    component: hostname-credentials
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: hostname-credentials-controller
+subjects:
+  - kind: ServiceAccount
+    name: hostname-credentials-controller
+    namespace: kube-system
+---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -91,10 +127,12 @@ spec:
               args:
                 - -ingress-selector=application
                 - -credentials-namespace=kube-system
-                - -credentials-name-template={hostname}-grant-credentials
+                - -credentials-name-template={host}-grant-credentials
                 - -credentials-selector=application=skipper-ingress,component=hostname-credentials
                 - -credentials-labels=application=skipper-ingress,component=hostname-credentials
                 - -credentials-redirect-uri-path={{ .Cluster.ConfigItems.skipper_oauth2_redirect_uri_path }}
+                - -combined-secret-name=hostname-credentials
+                - -combined-secret-labels=application=skipper-ingress,component=hostname-credentials-combined
               resources:
                 limits:
                   cpu: 10m
diff --git a/cluster/manifests/skipper/secret-combiner.yaml b/cluster/manifests/skipper/secret-combiner.yaml
deleted file mode 100644
index b020b512b6..0000000000
--- a/cluster/manifests/skipper/secret-combiner.yaml
+++ /dev/null
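Review bot: The new Role grants `list`, `get`, `create` and `update` on every Secret in kube-system to the hostname-credentials-controller ServiceAccount, because `list` and `create` cannot be narrowed with `resourceNames` and the `-credentials-selector` label filter is applied only by the controller itself. The identical grant existed on the deleted secret-combiner account, but it now sits on the same identity as whatever the controller was already allowed to do in the RBAC objects above line 56 (outside this hunk), so one compromised pod or token reaches both the ingress-side permissions and all kube-system secrets. That widening is probably intended by the consolidation, but it should be recorded on the Role, e.g. `# Namespace-wide secret read/write: list/create cannot be scoped by resourceNames; the controller filters by label client-side.` A short note on why `delete` is deliberately absent (stale per-host secrets are apparently never removed) would also help the next reviewer.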
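Review bot: The removed secret-combiner set `COMBINED_DATA_KEY_TEMPLATE` to `{secret_name}-{data_key}` (visible in the deleted file below), but the new `-combined-secret-name` and `-combined-secret-labels` args carry no equivalent, so the key layout inside the `hostname-credentials` secret now rests on an undocumented default of image main-12; if that default differs, the consumer of the combined secret silently stops finding its keys. If the controller exposes an option for the key template, pass it explicitly here; otherwise record the dependency next to the new args, e.g. `# combined data keys are expected as {secret_name}-{data_key}, matching the former secret-combiner — confirm against main-12`. The `{hostname}` → `{host}` placeholder rename on the name-template line likewise only works with main-12, so a line such as `# {host} placeholder requires image main-12 or newer` would stop the version bump and the args from being reverted independently. The container spec continues outside this hunk.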
@@ -1,98 +0,0 @@
-# {{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true" }}
-# {{ $version := "main-5" }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: secret-combiner
-  namespace: kube-system
-  labels:
-    application: skipper-ingress
-    component: hostname-credentials
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: secret-combiner
-  namespace: kube-system
-  labels:
-    application: skipper-ingress
-    component: hostname-credentials
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - list
-      - get
-      - create
-      - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: secret-combiner
-  namespace: kube-system
-  labels:
-    application: skipper-ingress
-    component: hostname-credentials
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: secret-combiner
-subjects:
-  - kind: ServiceAccount
-    name: secret-combiner
-    namespace: kube-system
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: secret-combiner
-  namespace: kube-system
-  labels:
-    application: skipper-ingress
-    component: hostname-credentials
-spec:
-  schedule: "* * * * *"
-  concurrencyPolicy: Forbid
-  startingDeadlineSeconds: 600
-  jobTemplate:
-    spec:
-      activeDeadlineSeconds: 30
-      backoffLimit: 1
-      template:
-        metadata:
-          labels:
-            application: skipper-ingress
-            component: hostname-credentials
-          annotations:
-            logging/destination: "{{.Cluster.ConfigItems.log_destination_infra}}"
-        spec:
-          serviceAccountName: secret-combiner
-          restartPolicy: Never
-          containers:
-            - name: combiner
-              image: "container-registry.zalando.net/gwproxy/secret-combiner:{{ $version }}"
-              terminationMessagePolicy: FallbackToLogsOnError
-              env:
-                - name: NAMESPACE
-                  valueFrom:
-                    fieldRef:
-                      fieldPath: metadata.namespace
-                - name: SELECTOR
-                  value: application=skipper-ingress,component=hostname-credentials
-                - name: COMBINED_NAME
-                  value: hostname-credentials
-                - name: COMBINED_LABELS
-                  value: application=skipper-ingress,component=hostname-credentials-combined
-                - name: COMBINED_DATA_KEY_TEMPLATE
-                  value: "{secret_name}-{data_key}"
-              resources:
-                limits:
-                  cpu: 10m
-                  memory: 50Mi
-                requests:
-                  cpu: 10m
-                  memory: 50Mi
-# {{ end }}